Employers and Technology
Since the 1990s, there is an evident change and explosive increase in the use of technology in the workplace. The evolution of workplace computing in the decades to follow created an unprecedented economic expansion that changed business forever. That technology brings obligations for employers to protect their employees’ workplace privacy.
Ever since the mid-1990s, employers have had an insatiable appetite for technology in their organizations. Before Alan Greenspan’s comment above, Michael Porter, the grandfather of modern competitive strategy, wrote about this. “Companies that anticipate the power of information technology will be in control of events. Companies that do not respond will be forced to accept changes that others initiate and will find themselves at a competitive disadvantage.”
The bottom line is that technology is a key enabler of scalability and productivity growth. Employers cannot stop investing in technology-driven improvements in their organizations without the risk of competitive loss or failure. Those investments, however, bring new obligations and risks.
Employees and Technology
Employees are caught in the crossfire as their employers fight for survival, growth, and market share. Technology vendors operate with few restrictions, leaving the consequences of their technologies in the hands of their customers.
An increasing number of technologies have been made available that intentionally or unintentionally monitor employee activities. This has also created a conflict between employers and employees. What are the expectations and entitlement to workplace privacy for employees? How are those balanced with an employer’s need to run a competitive business?
Monitoring Employees in the Workplace
One common case of monitoring employee activities involves monitoring employee key performance measurements (KPIs). This can quickly alert their employer to early signs of productivity loss. One of the most publicized examples of this approach is at Amazon Inc. Amazon has created an extensive technology-driven system for not only monitoring employee productivity in their distribution warehouses. They have even automated the process of terminating employees.
Other off-the-shelf technologies provided over the years have enabled employers to monitor employees’ activities in real-time. These technologies range from in-office camera surveillance to technologies that enable managers to monitor employees computer usage in real time. The Covid-19 SARS-2 pandemic drove many employers to initiate remote work strategies. Employers’ desire to maintain productivity during the pandemic led technology vendors to adapt quickly to the “new normal”. They started market technologies that bring in-office surveillance into employees’ homes. One such vendor is StaffCop, the provider of “Employee Monitoring and Threat Detection Software”. This is a clearly ominous name if you’re the employee being monitored.
Employee Expectations of Workplace Privacy
One recent workplace privacy case was the firing of a school custodian in Alberta, Canada. They refused to install an application at the demand of an employer that would track their GPS location data.
Courts and arbitration rulings have held that employees have a right to a reasonable expectation of privacy when in the office. Employees can be expected to use any device provided by an employer for some degree of personal activity – even if employer policies attempt to restrict personal use. The dependence that all people have on internet-accessed services such as urgent family communications, personal banking, and accessing employment-related information from government or other sources makes at-work bans for personal use unenforceable.
The most important workplace privacy issues for employers to be aware of are:
- Ownership of a computer by an employer reduces but does not eliminate the expectation of privacy by an employee
- Computers that are used for personal purposes, in addition to work purposes, can reveal personal employee information that greatly reinforces the employee’s expectation of privacy
- Written company policies are relevant when assessing the expectation of privacy but do not eliminate an expectation of privacy
- The expectation that others such as a company’s IT personnel would have access to a computer reduce but do not eliminate the expectation of privacy
- Privacy expectations of an employee can extend to any manner of an electronic device such as a smartphone
- The requirement of an employee to use their personal smartphone device for work purposes greatly reduces the employer’s right to use surveillance technology on that device
- Allowing employees “incidental” personal use of a device reinforces the expectation of privacy
Simply writing up a policy in an employee handbook will not allow employers to monitor employees without restraint.
Risks for Employers
The risk for employers where technology intersects with an employee’s right to workplace privacy is not only legal but reputational.
The legal risks are obvious. In California, settled cases of wrongful dismissal range from $5,000 – $90,000. Cases going to trial range from $100,000 to $350,000.
The reputation costs are harder to assess. A news article on the internet is a global article that will persist for many years. Chances are any prospective employee will search for information about their employer on the internet. This impacts a company’s ability to recruit and retain the highest quality staff and drives prospective employees to their competitors.
Worse, some employers may not even be aware of the risks. They simply chose a technology with good intentions, but the company that created this technology did so in a way that violates an employee’s expectations of privacy.
Fired For Refusing To Be GPS Tracked?
In the Alberta school custodian’s firing case, the employer was using a “geofencing” software application to monitor an employee’s location. The software developer’s website stated at the time, “…when your employees enter or leave the geofence, (the application) picks up their location and asks them to clock in or out—helping you to see exactly where your staff have worked and how long for.”
Geofencing is a modern take on the time clock or punch card system. It is typically used where employees are paid for work on an hourly basis and direct supervision is not practical. It prevents common timesheet fraud that affects 75% of U.S. organizations. This can cost those organizations as much as 7% of gross annual payroll.
In the Alberta situation, the software company made a crucial design mistake in their software development process. This raises the ethical question that should confront ALL technology companies. “What considerations are required of technology companies during the design and development stage that maintain employee privacy on behalf of their customers?”
GPS Tracking and “Geofencing”
The advent of “big data” collection and the use of artificial intelligence technologies and analytical tools to make sense of large data sets has brought on new ethical debates and imposed a new moral responsibility on technology companies and employers.
In the Alberta case, the software company created their product with what seemed to be good intentions. The software would know when an employee entered the geofence and trigger a reminder to the employee to “check in”. Simple, yes? Employees have checked in using time clocks or punch cards since they were invented in 1888. Not so simple? In order to know when an employee is near the geofence, the software would have to monitor employee locations continuously. Of course, this is not ideal in regard to workplace privacy.
Geofencing
Other companies that provide geofencing in their time & attendance automation software include Celayix Inc. For over 20 years, we have been providing employee shift-scheduling and time & attendance automation software. However, Celayix’s geofencing solution is architected with a critical difference: there is no continuous tracking of an employee’s GPS location.
Instead, the Celayix mobile app is opened by the employee. Then, the employee chooses to check-in or check-out at their discretion. Only when the employee chooses, the Celayix app checks their location. It then tells both the employee and the employer whether the check-in or check-out occurred within the geofence. If they are outside the geofence area, the employee is either prevented from checking-in or checking-out or they are optionally allowed to continue, and the location coordinates are stored for employer reporting purposes. There is no continuous GPS tracking enabled by the Celayix mobile app, ensuring employers can safely automate their staff shift check-ins and check-outs without violating workplace privacy.
Better Communication Can Avoid Problems
The Alberta story also highlights an issue of education: a key aspect of the affected employee’s complaint is that the employer could not explain how their personal data was captured, stored, and protected. Employers need to understand these issues and communicate them to their employees clearly and regularly. Technology companies need to make their products and services data protection and privacy information available to their customers. This can be done, as in the case of Celayix, in a Privacy Policy statement on their website, and in communications in their sales and marketing processes.
Other privacy-related technology decisions that start with a technology company but fall on the shoulders of employers include data storage and transmission. Every day there are multiple data breaches by bad actors where that data ends up exposed on the dark web for view or purchase by other bad actors.
Are Employers Responsible for Data Breaches?
A 2018 ruling in Pennsylvania Supreme Court found that employers have a responsibility for reasonable protection of employee data. Although data breaches are a regular occurrence, even so, an employer has a responsibility to take reasonable steps to ensure that their employee data is protected from these breaches.
In the example of Celayix Inc.’s employee scheduling and time & attendance software, Celayix chose to encrypt all data at rest and in transmission. Although it seems obvious to the average person that data encryption should always be used by technology companies, encryption takes time. In many cases, technology companies trade off data security for performance. Sometimes they make the protection of data an option – sometimes at a higher price to their customers. Technology vendors need to avoid this devil’s bargain and consider the risks they are imposing on their customers.
Clearly, there are moral and ethical considerations possible by providers of technologies that can address the same organizational problems that do not put employers at risk when they use these technologies for reasonable purposes.
Because “The Internet”
The Internet has increased the impact of an employer’s failure to protect employee information, and with that, the enormous costs of fixing that failure.
Before the internet was something we all depended on in our daily lives, privacy was largely self-managed: the only way people would know anything about you as if you told them. Even so, the spread of that information was limited to if and how many people your confidants told, and so on.
Today, information is spread globally in seconds. Even deleting a Twitter or Facebook post doesn’t solve a problem; The Wayback Machine is a digital archive of internet content with over 556 billion pieces of content stored since 1996. Sites like BackTweets can let you search for public Twitter or Facebook posts whether deleted or not. Any real privacy an individual has is lost the minute another person has their information. The evolution of the Dark Web, an encrypted anonymous network within the Internet frequently used for selling the personal data acquired through data security breaches, has given rise to online stores where that data can be purchased for purposes of identity theft, spam lists, and scams designed to part us from our money.
As a result, it is much easier for an employee to show that a failure of an employer to minimize employee monitoring, data collection, data protection, and privacy has come with a social and economic cost. Employers need to be educated on best practices and update their data security practices and processes to ensure shared personal information with an employer is both necessary and protected from release.
Privacy Laws and Protections
There are laws in place to protect the privacy of individuals that include employees. These laws typically limit their scope to personally identifying information, health, financial, legal, DNA, and personnel reviews.
The United States Privacy Act of 1974 addresses issues of information privacy for the Federal government. The U.S. does not have a central personal privacy law like that of Canada or the European Union. This responsibility appears at the state level, but only three states have privacy laws for consumers as of the writing of this article: California, Nevada, and Maine.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how commercial for-profit organizations manage personal information. It does not apply to non-profit groups, charities, political parties, associations, or the Canadian government. The Canadian government is governed by the separate Privacy Act.
More privacy laws are not the solution to this problem. The nature of data breaches that are often coming from overseas actors that are out of reach of justice where the breach took place. By then the proverbial horse has left the barn; better data protection and privacy protection policies will help keep the barn doors closed.
What Should Employers Do to Protect Employee Privacy?
If you’ve read all the way through, hopefully, you’ve learned something. If you’ve skipped to the end of this article and want to come back to the rest of it later, that’s ok.
Here’s what you can take away if you want a checklist:
- Know that a total ban on personal use of company systems is likely not practical or enforceable
- Monitoring and accessing information that can reveal employees’ meaningful and intimate information, even as simple as browser histories, can create risk for employers
- Capture or store information only that is mission critical
- Any employee monitoring should begin with a clearly documented organizational requirement
- Any employee monitoring should begin with the least invasive method and expand only when the current method does not work
- Ensure that your technology vendor explains clearly and in non-technical terms if and how employee data is captured, stored, and protected
- Develop employee workplace privacy policies that are clear
- Ensure managers are trained to communicate, monitor, and apply your policies immediately and consistently
- Ensure any employee data (or customer data for that matter) is encrypted both in transmission and at-rest
- Implement an employee retention policy that explains for how long and how data will be kept and destroyed
Management teams are employees and are often subject to the same organizational policies and risks as their staff. Keeping your own workplace privacy in mind when developing and implementing your data privacy policies and processes will go a long way to ensuring a positive work environment for everyone.